Minimising risks by designing and implementing an effective control environment

www.pwc.com

Embedding controls to reduce risk

Effective Oracle Security & Controls Design and Implementation


An organisation with controls embedded within its processes and operations is not only compliant with regulations; it can react to new opportunities and challenges more effectively. It is not possible to anticipate every risk that arises, however it is possible to position the organisation on a solid foundation from which to manage the business in an effective and efficient way.

This paper will explore the challenges clients face with regards to designing controls and the services PwC can provide to support this.


Reducing cost, improving reporting and minimising the potential for fraud.


Why do organisations have difficulties implementing effective Oracle controls?

A mature controls environment is sometimes the last thing on management's mind when running the business day to day, yet controls can significantly reduce operating costs, improve reporting and minimise the potential for fraud. Every organisation faces risks determined by its size, industry, systems, regulatory environment and so on. The challenge for management is identifying those risks and the controls that mitigate them most effectively.

Some recurring challenges we see at our clients include:

• As part of the design phase of an implementation, not all risks are identified, or those that are identified are not in line with the business strategy and objectives;
• A risk assessment is not performed to prioritise the significance and prevalence of the risks to the organisation;
• During implementation, the systems integrator focuses on implementing an Oracle system that works, with little regard to the controls that will be operated across each process after go-live;
• Risk and control activities are not driving process improvement and value to the business;
• The controls identified during implementation are not correctly mapped to specific risks affecting the organisation, or risks are present without coverage from controls;
• Management does not know which controls are in place and/or whether they are operating effectively;
• Configurable controls are not part of the project documentation, such as BP.080 process design documents or BR.100 application setup documents;
• Automated controls are not optimised to minimise costly manual controls;
• The organisation has a good knowledge of its risks but lacks the functional Oracle knowledge to identify the required and most effective controls within the system; and
• Individuals within the organisation do not have a sufficient understanding of Oracle to embed automated controls during implementation.

The diagram below illustrates how an organisation will have a number of control objectives, which are based on different criteria that are important to the business. These objectives will be linked to key risks that are identified by the organisation, which are then mapped to specific controls to mitigate those risks. One risk can have multiple controls, just as one control can mitigate multiple risks.

How can these challenges impact an organisation?

• Potential fraudulent activity might occur, causing damage to the organisation's reputation or resulting in a financial loss;
• Business processes do not operate as management intended, because controls are immature, leading to transaction processing errors;
• The automated activities and controls available in Oracle are under-used, with reliance placed on manual processes and controls instead; manual processing introduces errors and wastes time and money; and
• Control deficiencies lead to low controls reliance during an audit, resulting in increased audit fees.

[Diagram: Control Objectives linked to Risks linked to Controls. Control objectives shown: Compliance, Operations, Financial Reporting, Quality, Customer Requirement, Data Protection Act. Risks shown: Financial Statement Assertions, Information Processing Objectives, Financial Reporting, Operational, Fraud, Compliance. Controls shown: Oracle Security, IT General Controls, Manual / Procedural Controls, Oracle Application Controls.]


Controls Design

Attention to the design, documentation and operation of controls is critical to ensuring the accuracy and timeliness of information used for financial reporting and management decision-making.

As part of an implementation, organisations need to design appropriate controls to mitigate risks in their Oracle environment. PwC has extensive experience of helping organisations meet this challenge and can perform the following activities:

• Understand the business objectives and overall strategy of the organisation, to ensure alignment between business processes and controls;

• Understand the impact of planned changes to process design on risk assessments and on control requirements or design; this can be done through workshops with business process owners;

• Work with management to assess the risks affecting specific business processes and the relevant control objectives, and create a detailed risk register;

• Agree restricted access controls, including segregation of duties conflicts, according to company policy and good practice;

• Use PwC's extensive Oracle risk and controls library to identify target controls to mitigate the identified risks, populate a risk and controls matrix, and ensure the identified controls are embedded into project documentation such as BP.080 process design documents or BR.100 application setup documents; and

• Use PwC's automated tools to confirm that automated/configurable controls and user security/segregation of duties are set up within the Oracle system as designed.

Controls Confirmation

Many of our clients have been running their Oracle application for a number of years and already have controls embedded within their business processes. It is nonetheless important to confirm periodically that these controls are still in place and operating effectively.

PwC can perform the following activities as part of a controls confirmation review:

• Review the business processes, risk registers and controls matrices to confirm they are aligned to the overall strategy of the organisation;

• Evaluate the controls currently in place to confirm design effectiveness and operating effectiveness using the following techniques:

  • Risk and controls review, supported by PwC's proprietary toolkit, Oracle GATE;

  • Compare the control environment to PwC's Oracle Risk and Controls library to confirm the best available controls are being used and have been configured correctly in the Oracle system; and

  • Test controls against management's controls register.

• In addition to testing the configurable Oracle controls, use Oracle GATE to provide comfort over restricted access and segregation of duties; and

• Identify any issues and provide recommendations on process and control improvements, develop a strategy to remediate control weaknesses, and work with management to create more robust controls.

PwC's Oracle team specialises in helping organisations design controls to mitigate identified risks. With a dedicated team of Oracle Security and Controls professionals based throughout the UK, we have a range of proven methodologies and market-leading tools to help design and deliver effective Oracle controls.


Oracle GATE

PwC performs risk and controls reviews supported by its proprietary toolkit, Oracle GATE, which provides an in-depth analysis of an Oracle system's configuration, security and user access.

GATE is used to provide assessments over the:

• Development of system security;
• Design of user responsibilities; and
• Automated/configurable controls within the Oracle modules.

GATE can be used to perform detailed reviews throughout an Oracle implementation or upgrade project, before and after go-live. The tool accelerates the analysis and appreciation of risks during the configuration phase of a project and helps to quickly identify the controls required to manage and mitigate them. Parameter set-up reports help pinpoint control weaknesses in how a module has been configured. Detailed segregation of duties reports provide comprehensive information about users and their access.

Oracle Governance Risk & Compliance (GRC) Suite

For embedded automated controls, Oracle GRC can monitor and report on changes to system settings and run exception reports without customising the Oracle application. The GRC Controls Suite consists of Access Controls, Configuration Controls, Transaction Controls and Preventative Controls. These allow an organisation to efficiently embed preventative controls and appropriate monitoring controls in and around Oracle. GRC Controls enables organisations to define and monitor access controls by identifying and remediating segregation of duties (SoD) violations. It can also be configured to enforce transaction-level controls: for example, when a vendor is created and paid by the same user, Oracle can either send an alert to the business owner or prevent the transaction. Configuration controls, such as detecting and recording changes to sensitive standing data, can also be implemented.

Assess Automated Business Process & Security Controls

A risk and controls review, supported by PwC's proprietary toolkit, Oracle GATE, extracting the configurable control settings and security controls for each module under review. These settings are analysed to establish whether any do not meet generally accepted good practice or expose the client to operational or financial risk.

Access permissions & Segregation of Duties

Analysis is performed, using Oracle GATE, on the design of the user responsibilities and on the assignment of those responsibilities to users. This establishes whether any potential weaknesses exist around inappropriate levels of access or segregation of duties.
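The GRC section and the responsibility analysis above between them describe the three checks an SoD engine needs: an access-level check (which users hold responsibilities that together grant conflicting functions, and which responsibilities grant each half), a provisioning-time check (would a proposed assignment create a new conflict), and a transaction-level check (did the same user actually create a supplier and pay it, with the option to alert or prevent). The following is an added example and is not PwC's Oracle GATE or Oracle GRC code; the conflict rules, responsibility names, users, suppliers and payments are constructed for illustration, and the responsibility-to-function mapping stands in for the function security data that would be extracted from the application.

```python
"""Added illustrative segregation-of-duties (SoD) analysis.

Not PwC's Oracle GATE or Oracle GRC code. All rules, responsibilities, users
and transactions below are constructed for the example.
"""

# Constructed SoD rule set: pairs of business functions one person should not
# hold together, with the fraud or error scenario each pairing enables.
SOD_RULES = {
    frozenset({"Create Supplier", "Enter Payment"}): "fictitious supplier paid by its creator",
    frozenset({"Enter Invoice", "Approve Invoice"}): "self-approval of payables invoices",
    frozenset({"Maintain Employee", "Run Payroll"}): "ghost employee on the payroll",
}

# Constructed responsibility -> functions mapping (what each responsibility grants).
RESP_FUNCTIONS = {
    "AP Supplier Admin": {"Create Supplier", "Maintain Supplier"},
    "AP Payments Clerk": {"Enter Payment", "Void Payment"},
    "AP Invoice Entry": {"Enter Invoice"},
    "AP Invoice Approver": {"Approve Invoice"},
    "HR Admin": {"Maintain Employee"},
    "Payroll Manager": {"Run Payroll"},
}

# Constructed user -> responsibilities assignments. A conflict can arise from
# the combination of two individually reasonable responsibilities (alice).
USER_RESPS = {
    "alice": {"AP Supplier Admin", "AP Payments Clerk"},
    "bob": {"AP Supplier Admin"},
    "carol": {"AP Invoice Entry", "AP Invoice Approver"},
    "dave": {"HR Admin"},
    "erin": {"AP Payments Clerk"},
}

# Constructed transaction trail: supplier id -> creating user, and payments as
# (payment id, supplier id, entering user, amount).
SUPPLIERS = {"S-1001": "alice", "S-1002": "bob", "S-1003": "bob"}
PAYMENTS = [
    ("P-5001", "S-1001", "alice", 12500.00),
    ("P-5002", "S-1002", "alice", 800.00),
    ("P-5003", "S-1003", "erin", 300.00),
]


def functions_for(user, extra_resp=None):
    """Every function a user can reach through assigned responsibilities,
    optionally including one proposed additional responsibility."""
    resps = set(USER_RESPS.get(user, set()))
    if extra_resp:
        resps.add(extra_resp)
    return set().union(*(RESP_FUNCTIONS.get(r, set()) for r in resps))


def access_violations():
    """Design-level check: which users could perform both halves of a
    conflicting pair, and through which responsibilities each half is granted."""
    found = []
    for user in sorted(USER_RESPS):
        funcs = functions_for(user)
        for pair, risk in SOD_RULES.items():
            if pair <= funcs:
                via = {f: sorted(r for r in USER_RESPS[user] if f in RESP_FUNCTIONS[r])
                       for f in sorted(pair)}
                found.append({"user": user, "conflict": tuple(sorted(pair)),
                              "risk": risk, "via": via})
    return found


def conflicts_if_granted(user, new_resp):
    """Provisioning-time (preventive) check: which SoD rules would a proposed
    assignment newly breach? Run this before the responsibility is granted."""
    before = functions_for(user)
    after = functions_for(user, new_resp)
    return sorted(tuple(sorted(p)) for p in SOD_RULES if p <= after and not p <= before)


def transaction_violations(suppliers=SUPPLIERS, payments=PAYMENTS):
    """Operating-level (detective) check: payments entered by the user who also
    created the supplier. Access analysis shows who could; this shows who did."""
    return [{"payment": pid, "supplier": sid, "user": who, "amount": amt}
            for pid, sid, who, amt in payments if suppliers.get(sid) == who]


def evaluate_payment(payment, suppliers=SUPPLIERS, mode="prevent"):
    """Transaction control decision for one payment: 'prevent' blocks the
    posting, 'alert' lets it post but raises an exception for the owner."""
    _, sid, who, _ = payment
    if suppliers.get(sid) != who:
        return "ALLOW"
    return "BLOCK" if mode == "prevent" else "ALERT"


if __name__ == "__main__":
    for v in access_violations():
        print(f"[ACCESS] {v['user']}: {v['conflict']} via {v['via']} ({v['risk']})")
    print("[PROVISION] dave + Payroll Manager ->", conflicts_if_granted("dave", "Payroll Manager"))
    for v in transaction_violations():
        print(f"[TXN] {v['user']} created and paid {v['supplier']} in {v['payment']}")
    for p in PAYMENTS:
        print(f"[ENFORCE] {p[0]}: {evaluate_payment(p)}")
```

The access report lists the responsibilities that grant each half of a conflict, because the remediation is usually to split one of them rather than to remove the user. The transaction check is deliberately separate: an access conflict is a risk, a payment to a self-created supplier is an exception that needs investigating, and a mature environment runs both.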

Recommend Improvements / Continuous Improvement


PwC firms provide industry-focused assurance, tax and advisory services to enhance value for their clients. More than 161,000 people in 154 countries in firms across the PwC network share their thinking, experience and solutions to develop fresh perspectives and practical advice. See www.pwc.com for more information.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2011 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. NEW-2011-06-09-0850-SR

Contacts

National Jonathan Boulton, Partner [email protected] +44 (0) 7753 928434

London - Public Sector Matthew Luscombe [email protected] +44 (0) 7977 405848

London - Private Sector Semsi Sonmez [email protected] +44 (0) 7841 569940

South and East Colin Bezant [email protected] +44 (0) 7715 487592

Midlands Neal Smith [email protected] +44 (0) 7725 827697

North and Scotland Daniel Chamings [email protected] +44 (0) 7967 490435